Sarbanes-Oxley Compliance Services

What you should know about SOX and Miles Consulting's SOX services  
If you have a company that's gone public or will go public, the Sarbanes-Oxley Act affects you. Named after Senator Paul Sarbanes and Representative Michael G. Oxley, the act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002) became law in July 2002 in response to the Enron scandal and other examples of unethical behavior in the business community.
The act imposes strict financial reporting requirements on publicly traded companies, holding them to a new level of accountability. Those companies must implement, if not already in place, policies and controls that demonstrate to investors the use of best practices in managing financial systems as well as in protecting corporate data and access to that data.
IT systems are the tools companies use to manage their financial systems. Under the law, that means those systems are to be audited, and companies must remediate issues to meet the spirit of the law. Checking compliance usually falls to third-party auditors from well-established accounting firms.
Three numbers that can impact your business
The Sarbanes-Oxley Act features numerous sections; however, three of them—302, 404 and 409—offer the greatest potential impact on companies and how the companies conduct business.

Section 404 requires an Internal Control Report to be included in all annual financial reports. Created by a company's auditor, the document must present management's assertions about the design and operational effectiveness of internal controls at year end. Management must also evaluate the effectiveness of internal controls over financial reporting and disclosure controls on a quarterly basis.
With Section 302, the CEO and CFO of a company are responsible for the accuracy, documentation and submission of financial reports and internal control structure to the SEC. Certifications signed by those two principal officers must be included in the annual or quarterly reports.
Information must be accumulated and summarized for timely assessment and disclosure in accordance with the SEC's rules and regulations. When Section 404 compliance is required in about a year, companies must be able to disclose on a near real-time basis—up to 48 hours—any changes in their financial condition or operations.
Section 404 and IT

We're often engaged only for a SOX IT Audit. In general, Section 404 is the tallest mountain to climb, with these key areas of IT controls:
  • Change Management
    Companies must provide visibility over changes in the IT environment and enable the ability to initiate, authorize, manage and implement all IT changes through a systematic change process.
  • Backup
    A process must be deployed to identify critical data and to duplicate, store and recover data as needed.
  • Security
    A process must be deployed to ensure the integrity of information and secure applications, databases, operating systems, internal network access and perimeter network.
  • Documentation
    Companies must deliver thorough documentation to cover change management, backup and security policies and processes.
  • Remediation
    Companies must have solutions to fill gaps in change management, backup and security.

© 2014 Pay Per Cloud Professional Services